<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Protocol-Vulnerability - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/protocol-vulnerability/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 16:50:28 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/protocol-vulnerability/feed.xml" rel="self" type="application/rss+xml"/><item><title>KNX Protocol Vulnerability CVE-2023-4346 Allows Device Purging and Lockout</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2023-4346-knx-protocol/</link><pubDate>Wed, 15 Jul 2026 16:50:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2023-4346-knx-protocol/</guid><description>An overly restrictive account lockout mechanism vulnerability, CVE-2023-4346, in KNX Association KNX Protocol Connection Authorization Option 1 could allow an attacker to purge all devices without additional security options enabled and set a BCU key to lock the device, leading to denial of service and data destruction.</description><content:encoded><![CDATA[<p>CVE-2023-4346 is a high-severity vulnerability discovered in the KNX Association's KNX Protocol Connection Authorization Option 1. This flaw stems from an overly restrictive account lockout mechanism within the protocol. Exploitation of this vulnerability enables an attacker to remotely purge all device configurations on targeted systems that lack additional security options and subsequently set a Bus Coupling Unit (BCU) key. This action effectively locks the compromised devices, rendering them inoperable and causing a denial of service. The vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog, indicating it has been actively exploited in the wild. Organizations are advised to apply vendor mitigations and ensure compliance with CISA's BOD 26-04 guidance to mitigate immediate risks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker targets industrial control systems or smart building infrastructure utilizing KNX Protocol Connection Authorization Option 1.</li>
<li>The attacker identifies specific vulnerable devices that have KNX Protocol Connection Authorization Option 1 enabled but lack additional vendor-recommended security configurations.</li>
<li>The attacker initiates a series of deliberate, repeated, and failed authentication attempts against the targeted KNX devices to trigger the overly restrictive account lockout mechanism.</li>
<li>The flawed KNX protocol implementation, in response to the lockout condition, incorrectly purges all existing device configurations and settings from the compromised devices.</li>
<li>Following the configuration purge, the attacker exploits the underlying vulnerability to establish unauthorized control over the device's Bus Coupling Unit (BCU) key.</li>
<li>The attacker then sets a new, malicious BCU key on the affected KNX devices, effectively reconfiguring their access credentials.</li>
<li>The newly set BCU key locks the devices, making them inaccessible and inoperable to legitimate administrators and users.</li>
<li>This exploitation results in a denial of service for the KNX devices and irreversible data destruction due to the configuration purge.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2023-4346 leads to severe operational disruption and data loss within affected KNX-based systems. Attackers can purge all device configurations, effectively wiping critical operational settings. Following this, the ability to set a BCU key means legitimate users and administrators are locked out, rendering the devices inoperable. This results in a complete denial of service for the affected infrastructure, potentially impacting smart building automation, industrial control systems, and other critical functions. The vulnerability's presence in CISA's KEV catalog underscores its critical nature and confirmed real-world exploitation, necessitating urgent mitigation to prevent widespread operational failure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply mitigations in accordance with vendor instructions for KNX Protocol Connection Authorization Option 1 to address CVE-2023-4346 immediately.</li>
<li>Ensure compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk guidance by patching CVE-2023-4346 on all affected systems by the due date of 2026-07-29.</li>
<li>Evaluate each asset's internet exposure and ensure adherence to BOD 26-04 patching guidelines to protect devices utilizing KNX Protocol Connection Authorization Option 1.</li>
<li>If vendor mitigations for CVE-2023-4346 are unavailable, consider discontinuing use of the affected product or isolating it from critical networks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>vulnerability</category><category>protocol-vulnerability</category><category>ics-scada</category><category>smart-building</category><category>denial-of-service</category></item></channel></rss>